From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37099)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1Zi17F-0007lL-0W
	for qemu-devel@nongnu.org; Fri, 02 Oct 2015 10:15:18 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1Zi179-0008SW-AF
	for qemu-devel@nongnu.org; Fri, 02 Oct 2015 10:15:16 -0400
Received: from mx1.redhat.com ([209.132.183.28]:45122)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <berrange@redhat.com>) id 1Zi179-0008Rq-5N
	for qemu-devel@nongnu.org; Fri, 02 Oct 2015 10:15:11 -0400
Date: Fri, 2 Oct 2015 15:15:05 +0100
From: "Daniel P. Berrange" <berrange@redhat.com>
Message-ID: <20151002141505.GF28469@redhat.com>
References: <N1-fOl1digGhI@Safe-mail.net>
	<87r3leztbr.fsf@blackfin.pond.sub.org>
	<20151002083047.GA28469@redhat.com>
	<87twq9bn5l.fsf@blackfin.pond.sub.org>
	<20151002140820.GB25464@vader>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20151002140820.GB25464@vader>
Subject: Re: [Qemu-devel] [PATCH] Add syscalls for -runas and -chroot to the
 seccomp sandbox
Reply-To: "Daniel P. Berrange" <berrange@redhat.com>
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Markus Armbruster <armbru@redhat.com>, Namsun Ch'o <namnamc@Safe-mail.net>, qemu-devel@nongnu.org

On Fri, Oct 02, 2015 at 04:08:20PM +0200, Eduardo Otubo wrote:
> On Fri, Oct 02, 2015 at 12=05=58PM +0200, Markus Armbruster wrote:
> > "Daniel P. Berrange" <berrange@redhat.com> writes:
> > 
> > > On Thu, Oct 01, 2015 at 02:06:32PM +0200, Markus Armbruster wrote:
> > >> "Namsun Ch'o" <namnamc@Safe-mail.net> writes:
> > >> 
> > >> > The seccomp sandbox doesn't whitelist setuid, setgid, or
> > >> > setgroups, which are
> > >> > needed for -runas to work. It also doesn't whitelist chroot, which is needed
> > >> > for the -chroot option. Unfortunately, QEMU enables seccomp before it drops
> > >> > privileges or chroots, so without these whitelisted, -runas and
> > >> > -chroot cause
> > >> > QEMU to be killed with -sandbox on. This patch adds those syscalls.
> > >> 
> > >> Should it enable seccomp a bit later?
> > >
> > > Yeah, I think it would be better to move the seccomp enablement later.
> > 
> > Let's do that then.
> 
> Where exactly you guys think we could call seccomp enablement? Right
> it's called (almost) right before cpu_exec_init_all(), on vl.c:4013. I
> guess it is as later as it could.

It depends on what you consider seccomp to be protecting against. I think
its primary goal is to protect against exploit after a guest OS breakout,
in which case it does not need to be enabled until the guest CPUs start
executing, which IIUC, means immediately before main_loop().

If we intend seccomp to protect against flaws during QEMU setup, then having
it earlier is neccessary. eg QEMU opening a corrupt qcow2 image which might
exploit QEMU before the guest CPUs start.

If the latter is the case, then we could start with a relaxed seccomp
sandbox which included the setuid/chroot features, and then switch to a
more restricted one which blocked them before main_loop() runs.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|